Abstract. Until is a notoriously difficult temporal operator as it is both
existential and universal at the same time: A U B holds at the current
time instant w iff either B holds at w or there exists a time instant
w' in the future at which B holds and such that A holds in all the
time instants between the current one and w'. This "ambivalent" nature
poses a significant challenge when attempting to give deduction rules for
until. In this paper, in contrast, we make explicit this duality of until by
introducing a new temporal operator ∇ that allows us to formalize the
"history" of until, i.e., the "internal" universal quantification over the
time instants between the current one and w'. This approach provides
the basis for formalizing deduction systems for temporal logics endowed
with the until operator. For concreteness, we give here a labeled natural
deduction system for a linear-time logic endowed with the new history
operator and show that, via a proper translation, such a system is also
sound and complete with respect to the linear temporal logic LTL with
until.



1 Introduction 

Until is a notoriously difficult temporal operator. This is because of its "ambivalent"
nature of being an operator that is both existential and universal at
the same time: A U B holds at the current time instant (sometimes "world" or
"state" is used in place of "time instant") w iff either B holds at w or there
exists a time instant w' in the future at which B holds and such that A holds
in all the time instants between the current one and w'. The words in emphasis
highlight the dual existential and universal nature of U, which poses a significant
challenge when attempting to give deduction rules for until, so that deduction
systems for temporal logics either deliberately exclude until from the set of operators
considered or devise clever ways to formalize reasoning about until. And
even if one manages to give rules, these often come at the price of additional
difficulties for, or even the impossibility of, proving useful metatheoretic properties,
such as normalization or the subformula property. (This is even more so in
the case of Hilbert-style axiomatizations, which provide axioms for until, but are
not easily usable for proof construction.) See, for instance, |H2l7ll2ll3l20j, where
techniques for formalizing suitable inference rules include introducing additional
information (such as the use of a Skolem function f(A U B) to name the time
instant where B begins to hold), or exploiting the standard recursive unfolding
of until

    A U B ≡ B ∨ (A ∧ X(A U B))                                       (1)

which says that A U B iff either B holds or A holds and in the successor time
instant (as expressed by the next operator X) we have again A U B.

In this paper, in contrast, we make explicit the duality of until by introducing
a new temporal operator ∇ that allows us to formalize the "history" of until,
i.e., the fact that when we have A U B the formula A holds in all the time instants
between the current one and the one where B holds. We express this "historic"
universal quantification by means of ∇ with respect to the following intuitive
translation¹:

    A U B ≡ B ∨ F(XB ∧ ∇A)                                           (2)

That is: A U B iff either B holds or there exists a time instant w' in the future
(as expressed by the sometime in the future operator F) such that

— B holds in the successor time instant, and

— A holds in all the time instants between the current one and w' (included).

The latter conjunct is precisely what the history operator ∇ expresses. This is
better seen when introducing labeling: since ∇ actually quantifies over the time
instants in an interval (delimited by the current instant and the one where the
B of the until holds), we adopt a labeling discipline that is slightly different from
the more customary one of labeled deduction.

The framework of labeled deduction has been successfully employed for several
non-classical, and in particular modal and temporal, logics, e.g., [8,21,22], since
labeling provides a clean and effective way of dealing with modalities and gives
rise to deduction systems with good proof-theoretical properties. The basic idea
is that labels allow one to explicitly encode additional information, of a semantic
or proof-theoretical nature, that is otherwise implicit in the logic one wants to
capture. So, for instance, instead of a formula A, one can consider the labeled
formula b : A, which intuitively means that A holds at the time instant denoted
by b within the underlying Kripke semantics. One can also use labels to specify
how time instants are related, e.g., the relational formula bRc states that the
time instant c is accessible from b.

Considering labels that consist of a single time instant is not enough for ∇,
as the operator is explicitly designed to speak about a sequence of time instants
(namely, the ones constituting the history of the corresponding until, if indeed
∇ results from the translation of an U). We thus consider labels that are built
out of a sequence of time instants, so that we can write α b1 b3 : ∇A to express,
intuitively, that A holds in the interval between time instants b1 and b3, which
together with the sub-sequence α constitute a sequence of time instants α b1 b3.

¹ This is in contrast to the unfolding (1). The decoupling of U that we achieve with
∇ is precisely what allows us to give well-behaved (in a sense made clearer below)
natural deduction rules.
This allows us to give the natural deduction elimination rule

    α b1 b3 : ∇A    b1 ≤ b2    b2 ≤ b3
    ---------------------------------- ∇E
               α b1 b2 : A

that says that if ∇A holds at time instant b3 at the end of the sequence α b1 b3
and if b2 is in-between b1 and b3, as expressed by the relational formulas with
the accessibility relation ≤, then we can conclude that A holds at b2.

Dually, we can introduce ∇A at time instant b3 at the end of the sequence
α b1 b3 whenever from the assumptions b1 ≤ b2 and b2 ≤ b3 for a fresh b2 we can
infer α b1 b2 : A, i.e.²:

        [b1 ≤ b2]  [b2 ≤ b3]
               ⋮
           α b1 b2 : A
        ----------------- ∇I
           α b1 b3 : ∇A

The adoption of time instant sequences for labels has thus allowed us to give
rules for ∇ that are well-behaved in the spirit of natural deduction [17]: there
is precisely one introduction and one elimination rule for ∇, as well as for the
other connectives and temporal operators (⊃, G, and X). This paves the way to
a proof-theoretical analysis of the resulting natural deduction systems, e.g., to
show proof normalization and other useful meta-theoretical analysis, which we
are tackling in current work.

Moreover, the rules ∇I and ∇E provide a clean-cut way of reasoning about
until, according to the translation (2), provided that we also give rules for F and
X. These operators have a local nature, in the sense that they speak not about
sequences of time instants but about single time instants. Still, we can easily
give natural deduction rules for them by generalizing the more standard "single-time
instant" rules (e.g., [1,2,12,16,21,22,23]) using our labeling with sequences
of time instants. As we will discuss in more detail below, if we collapse the
sequences of time instants to consider only the final time instant in the sequence
(or, equivalently, if we simply ignore all the instants in a sequence but the last),
then these rules reduce to the standard ones. For instance, for the always in
the future operator G (the dual of F) and X, with the corresponding successor
relation ◁, we can give the elimination rules

    α b1 : GA    b1 ≤ b2                 α b1 : XA    b1 ◁ b2
    -------------------- GE     and      -------------------- XE
        α b1 b2 : A                          α b1 b2 : A

The rule GE says that if GA holds at time instant b1, which is the last in the
sequence α b1, and b2 is ≤-accessible from b1 (i.e., b1 ≤ b2), then we can conclude
that A holds for the sequence α b1 b2. The rule XE is justified similarly (via ◁).
The corresponding introduction rules are given in Section 4 together with rules
for ⊥ and the connective ⊃, as well as a rule for induction on the underlying
linear ordering. As we will see, we also need rules expressing the properties of the
relations ≤ and ◁. Moreover, the fact that we consider sequences of time instants
as labels requires us to consider some structural rules to express properties of
such sequences (with respect to formulas).

² The side condition that b2 is fresh means that b2 is different from b1 and b3, and does
not occur in any assumption on which α b1 b2 : A depends other than the discarded
assumptions b1 ≤ b2 and b2 ≤ b3.

This approach thus provides the basis for formalizing deduction systems for
temporal logics endowed with the until operator. For concreteness, we give here
a labeled natural deduction system for a linear-time logic endowed with the new
history operator ∇ and show that, via a proper translation, such a system is also
sound and complete with respect to the linear temporal logic LTL with until.
(We do not consider past explicitly here, but adding operators and rules for it
should be unproblematic, e.g., as in [23].)

We proceed as follows. In Section 2 we briefly recall the syntax and semantics
of LTL, and an axiomatization for it. In Section 3 we define LTL_∇, the logic
that is obtained from LTL by replacing U with the history ∇, and give a validity-preserving
translation, based on (2), from LTL into LTL_∇. In Section 4 we give
a labeled natural deduction system N(LTL_∇) that is sound with respect to
the semantics of LTL_∇. By focusing only on those derivations whose conclusion
and open assumptions correspond to the translation of LTL-formulas, we show
that N(LTL_∇) can be used to capture reasoning in LTL and that it is in fact
sound and complete with respect to the semantics of LTL. In Section 5 we draw
conclusions and illustrate directions of current and future work. Full proofs are
given in the appendix.

2 The Linear Temporal Logic LTL

We recall the syntax and semantics of LTL and an axiomatization for it.

Definition 1. Given a set P of propositional symbols, the set of (well-formed)
LTL-formulas is defined by the grammar

    A ::= p | ⊥ | A ⊃ A | GA | XA | A U A

where p ∈ P. The set of LTL-atomic formulas is P ∪ {⊥}. The complexity of
an LTL-formula is the number of occurrences of the connective ⊃ and of the
temporal operators G, X, and U.

The intuitive meaning of G, X, and U is the standard one: GA states that A
holds always in the future, XA states that A holds in the next time instant, and
A U B states that B holds at the current time instant or there is a time instant
w in the future such that B holds in w and A holds in all the time instants
between the current one and w. As usual, we can introduce abbreviations and
use, e.g., ¬, ∨ and ∧ for negation, disjunction, and conjunction, respectively:
¬A ≡ A ⊃ ⊥, A ∨ B ≡ ¬A ⊃ B, and A ∧ B ≡ ¬(¬A ∨ ¬B). We can also define
other temporal operators, e.g., FA ≡ ¬G¬A to express that A holds sometime
in the future. We write Δ to denote a set of LTL-formulas.

Definition 2. Let N = (ℕ, s : ℕ → ℕ, ≤) be the standard structure of natural
numbers, where s and ≤ are respectively the successor function and the total
(reflexive) order relation. An LTL-model is a pair M = (N, V) where V : ℕ →
2^P. Truth for an LTL-formula at a point n ∈ ℕ in an LTL-model M = (N, V)
is the smallest relation ⊨_LTL satisfying:

    M, n ⊨_LTL p        iff  p ∈ V(n)
    M, n ⊨_LTL A ⊃ B    iff  M, n ⊨_LTL A implies M, n ⊨_LTL B
    M, n ⊨_LTL GA       iff  M, m ⊨_LTL A for all m ≥ n
    M, n ⊨_LTL XA       iff  M, n + 1 ⊨_LTL A
    M, n ⊨_LTL A U B    iff  there exists n' ≥ n such that M, n' ⊨_LTL B
                             and M, m ⊨_LTL A for all n ≤ m < n'

Note that M, n ⊭_LTL ⊥ for every M and n. By extension, we write:

    M ⊨_LTL A  iff  M, n ⊨_LTL A for every natural number n
    M ⊨_LTL Δ  iff  M ⊨_LTL A for all A ∈ Δ
    Δ ⊨_LTL A  iff  M ⊨_LTL Δ implies M ⊨_LTL A, for every LTL-model M



We now present a sound and complete Hilbert-style axiomatization, which
we call H(LTL), for LTL (see, e.g., [10]). H(LTL) consists of the axioms

    (A1) Any tautology instance          (A2) G(A ⊃ B) ⊃ (GA ⊃ GB)
    (A3) X¬A ⊃ ¬XA                       (A4) X(A ⊃ B) ⊃ (XA ⊃ XB)
    (A5) GA ⊃ A ∧ XGA                    (A6) G(A ⊃ XA) ⊃ (A ⊃ GA)
    (A7) A U B ↔ (B ∨ (A ∧ X(A U B)))    (A8) A U B ⊃ FB

where we denote with ↔ the double implication, and of the rules of inference

    (MP) If A and A ⊃ B then B    (Nec_X) If A then XA    (Nec_G) If A then GA

The set of theorems of H(LTL) is the smallest set containing these axioms
and closed with respect to these rules of inference.



3 LTL_∇: LTL with history

In this section, we give the linear temporal logic LTL_∇, which is obtained from
LTL by replacing the operator U with a new unary temporal operator ∇, called
history. The definition of the semantics of LTL_∇ requires a notion of truth given
with respect to sequences of time instants rather than just to time instants. We
will then provide a translation from the language of LTL into the language of
LTL_∇ and show some properties of such a translation.
3.1 Syntax and semantics

Definition 3. Given a set P of propositional symbols, the set of (well-formed)
LTL_∇-formulas is defined by the grammar

    A ::= p | ⊥ | A ⊃ A | GA | XA | ∇A

where p ∈ P. The set of LTL_∇-atomic formulas is P ∪ {⊥}. The complexity of
an LTL_∇-formula is the number of occurrences of the connective ⊃ and of the
temporal operators X, G, and ∇.

The intuitive meaning of the operators G and X is the same as for LTL,
while ∇A intuitively states that A holds at any instant of a particular time
interval (but here we see that we need sequences of time instants to formalize
the semantics of the history operator, as we anticipated in the introduction).
Again, we can define other connectives and operators as abbreviations, e.g., ¬,
∨, ∧, F and so on. We write Γ to denote a set of LTL_∇-formulas.

To define a labeled deduction system for the logic LTL_∇, we extend the
language with a set of labels and finite sequences of labels, and introduce the
notions of labeled formula and relational formula.

Definition 4. Let L be a set of labels. A finite non-empty sequence of labels
(namely, an element of L⁺) is called a sequence. If A is an LTL_∇-formula and α
is a sequence, then α : A is a labeled (well-formed) formula (lwff for short). The
set of relational (well-formed) formulas (rwffs for short) is the set of expressions
of the form b ≤ c or b ◁ c, where b and c are labels.

In the rest of the paper, we will assume given a fixed denumerable set L of
labels and we will use b, c, d, ... to denote labels, α, β, γ to denote finite sequences
of labels³ (e.g., bcd... or just b in the case of a sequence consisting of only one
time instant), φ to denote a generic formula (either labeled or relational) and
Φ to denote a set of generic formulas.

Definition 5. An observation sequence is a non-empty sequence σ = [n_0, ...,
n_k] of natural numbers. Truth for an LTL_∇-formula at an observation sequence
σ in an LTL-model M = (N, V) is the smallest relation ⊨_∇ satisfying:

    M, [n_0, ..., n_k] ⊨_∇ p          iff  p ∈ V(n_k)
    M, [n_0, ..., n_k] ⊨_∇ A ⊃ B      iff  M, [n_0, ..., n_k] ⊨_∇ A implies
                                           M, [n_0, ..., n_k] ⊨_∇ B
    M, [n_0, ..., n_k] ⊨_∇ GA         iff  M, [n_0, ..., n_k, m] ⊨_∇ A for all m ≥ n_k
    M, [n_0, ..., n_k] ⊨_∇ XA         iff  M, [n_0, ..., n_k, n_k + 1] ⊨_∇ A
    M, [n_0, ..., n_{k-1}, n_k] ⊨_∇ ∇A  iff  M, [n_0, ..., n_{k-1}, m] ⊨_∇ A
                                           for all n_{k-1} ≤ m ≤ n_k (if 0 < k)
    M, [n_0] ⊨_∇ ∇A                   iff  M, [n_0] ⊨_∇ A

³ With a slight abuse of notation, we will also use α, β, γ to denote possibly empty
subsequences and thus write α b1 ... bk (for k ≥ 1) to denote a sequence where α may
be empty.
By extension, we write:

    M ⊨_∇ A  iff  M, σ ⊨_∇ A for every observation sequence σ
    M ⊨_∇ Γ  iff  M ⊨_∇ A for all A ∈ Γ
    Γ ⊨_∇ A  iff  M ⊨_∇ Γ implies M ⊨_∇ A, for every LTL-model M

Given an LTL-model M, a structure is a pair S = (M, I) where I : L → ℕ. Let
Σ be the set of observation sequences and I⁺ : L⁺ → Σ the extension of I to
sequences, i.e., I⁺(b_0 ⋯ b_n) = [I(b_0), ..., I(b_n)]. Truth for a generic formula φ
in a structure S = (M, I) is the smallest relation ⊨_∇ satisfying:

    M, I ⊨_∇ a ≤ b   iff  I(a) ≤ I(b)
    M, I ⊨_∇ a ◁ b   iff  I(b) = I(a) + 1
    M, I ⊨_∇ α : A   iff  M, I⁺(α) ⊨_∇ A

Note that M, σ ⊭_∇ ⊥ and M, I ⊭_∇ α : ⊥ for every M, σ and I.
Given a set Φ of generic formulas and a generic formula φ:

    Φ ⊨_∇ φ  iff  M, I ⊨_∇ Φ implies M, I ⊨_∇ φ for all M and I



3.2 A translation from LTL into LTL_∇

LTL and LTL_∇ are, obviously, related logics. In fact, below we will define a
validity-preserving translation (·)* from LTL into LTL_∇. Then, in Lemma 1 we
will show that if an LTL_∇-formula corresponds to the translation of some LTL-formula,
then it can be interpreted "locally", i.e., its truth value with respect
to an observation sequence depends only on the last element of the sequence.
Finally, in Lemma 2 and Theorem 1 we will use this result to prove that the
translation preserves the validity of formulas. This property allows us to use the
deduction system for LTL_∇, which will be presented in Section 4, for reasoning
on LTL too, as we will show in Section 4.2 when discussing soundness and
completeness of the system.

Definition 6. We define the translation (·)* from the language of LTL into the
language of LTL_∇ inductively as follows:

    (p)* = p, for p atomic
    (⊥)* = ⊥
    (A ⊃ B)* = (A)* ⊃ (B)*
    (GA)* = G(A)*
    (XA)* = X(A)*
    (A U B)* = (B)* ∨ (F(X(B)* ∧ ∇(A)*))

We extend (·)* to sets of formulas in the obvious way: Δ* = {B* | B ∈ Δ}.

Lemma 1. Let M be an LTL-model, [n_1, ..., n_k] an observation sequence, and
A an LTL-formula. Then M, [n_1, ..., n_k] ⊨_∇ A* iff M, [m_1, ..., m_r, n_k] ⊨_∇ A*
for every sequence m_1, ..., m_r.

Corollary 1. Let M be an LTL-model, [n_1, ..., n_k] an observation sequence,
and A an LTL-formula. Then M, [n_1, ..., n_k] ⊨_∇ A* iff M, [n_k] ⊨_∇ A*.

Lemma 2. Let M be an LTL-model, n a natural number, and A an LTL-formula.
Then M, n ⊨_LTL A iff M, [n] ⊨_∇ A*.

Theorem 1. Let Δ be a set of LTL-formulas, A an LTL-formula and Δ* =
{B* | B ∈ Δ}. Then Δ ⊨_LTL A iff Δ* ⊨_∇ A*.

Proof. By Definition 2, Δ ⊨_LTL A iff ∀M. M ⊨_LTL Δ implies M ⊨_LTL A iff
∀M. (∀B ∈ Δ. ∀n. M, n ⊨_LTL B implies ∀n. M, n ⊨_LTL A) iff (by Lemma 2)
∀M. (∀B ∈ Δ. ∀n. M, [n] ⊨_∇ B* implies ∀n. M, [n] ⊨_∇ A*) iff (by Lemma 1)
∀M. (∀B ∈ Δ. ∀σ. M, σ ⊨_∇ B* implies ∀σ. M, σ ⊨_∇ A*) iff (by Definition 5)
∀M. (∀B ∈ Δ. M ⊨_∇ B* implies M ⊨_∇ A*) iff ∀M. (M ⊨_∇ Δ* implies
M ⊨_∇ A*) iff Δ* ⊨_∇ A*.
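The semantics of Definitions 2 and 5, the translation (·)* of Definition 6 and the pointwise content of Lemma 2 can be exercised on a concrete model. The following Python evaluator is an added example, not code from the paper or its authors. It assumes ultimately periodic models (a finite prefix of valuations followed by a repeating loop, so that V is total on ℕ), cuts the quantification over all m ≥ n_k at n_k + horizon (one full loop past the prefix, which is exact for the formulas evaluated here, whose quantified subformulas are local), encodes formulas as nested tuples of its own design, and reads the k = 0 clause of Definition 5 as M, [n_0] ⊨_∇ ∇A iff M, [n_0] ⊨_∇ A. The sample valuation is constructed.

```python
"""Bounded evaluator for LTL (Definition 2), LTL_nabla (Definition 5) and
the translation (.)* (Definition 6).  Added example, not the paper's code.

Formulas are nested tuples (a constructed encoding):
    ("p", name)     propositional symbol       ("bot",)      falsum
    ("imp", A, B)   A implies B                ("G", A) ("X", A) ("V", A)
    ("U", A, B)     until (LTL only; "V" stands for the history operator nabla)
Models are ultimately periodic (finite prefix, then a repeating loop), so the
valuation is total on the natural numbers.  Quantification over all m >= n_k
is cut off at n_k + horizon: an assumption of this example that is exact for
the formulas below, whose quantified subformulas are local.
"""
from typing import FrozenSet, List, Sequence

Formula = tuple


class LassoModel:
    """V(n) for every n, given as a prefix followed by a repeating loop."""

    def __init__(self, prefix: List[FrozenSet[str]], loop: List[FrozenSet[str]]):
        assert loop, "the loop must be non-empty so that V is total"
        self.prefix, self.loop = prefix, loop
        self.horizon = len(prefix) + 2 * len(loop)  # one full loop past the prefix

    def val(self, n: int) -> FrozenSet[str]:
        if n < len(self.prefix):
            return self.prefix[n]
        return self.loop[(n - len(self.prefix)) % len(self.loop)]


# Abbreviations exactly as Section 2 introduces them
def neg(a): return ("imp", a, ("bot",))
def disj(a, b): return ("imp", neg(a), b)
def conj(a, b): return neg(disj(neg(a), neg(b)))
def F(a): return neg(("G", neg(a)))


def holds_ltl(m: LassoModel, n: int, f: Formula) -> bool:
    """Definition 2: M, n |=_LTL f, with until read existentially over n' >= n."""
    op = f[0]
    if op == "p":
        return f[1] in m.val(n)
    if op == "bot":
        return False
    if op == "imp":
        return (not holds_ltl(m, n, f[1])) or holds_ltl(m, n, f[2])
    if op == "G":
        return all(holds_ltl(m, k, f[1]) for k in range(n, n + m.horizon + 1))
    if op == "X":
        return holds_ltl(m, n + 1, f[1])
    if op == "U":
        return any(holds_ltl(m, n2, f[2])
                   and all(holds_ltl(m, k, f[1]) for k in range(n, n2))
                   for n2 in range(n, n + m.horizon + 1))
    raise ValueError(f"not an LTL formula: {f!r}")


def holds_v(m: LassoModel, seq: Sequence[int], f: Formula) -> bool:
    """Definition 5: M, [n_0, ..., n_k] |=_nabla f.  Only nabla looks back at n_{k-1}."""
    seq, nk = list(seq), seq[-1]
    op = f[0]
    if op == "p":
        return f[1] in m.val(nk)
    if op == "bot":
        return False
    if op == "imp":
        return (not holds_v(m, seq, f[1])) or holds_v(m, seq, f[2])
    if op == "G":
        return all(holds_v(m, seq + [k], f[1]) for k in range(nk, nk + m.horizon + 1))
    if op == "X":
        return holds_v(m, seq + [nk + 1], f[1])
    if op == "V":
        if len(seq) == 1:  # k = 0: no interval yet; nabla A read as A (assumed clause)
            return holds_v(m, seq, f[1])
        return all(holds_v(m, seq[:-1] + [k], f[1]) for k in range(seq[-2], nk + 1))
    raise ValueError(f"not an LTL_nabla formula: {f!r}")


def translate(f: Formula) -> Formula:
    """Definition 6: until becomes B* v F(X B* ^ nabla A*), i.e. translation (2)."""
    op = f[0]
    if op in ("p", "bot"):
        return f
    if op == "imp":
        return ("imp", translate(f[1]), translate(f[2]))
    if op in ("G", "X"):
        return (op, translate(f[1]))
    if op == "U":
        a, b = translate(f[1]), translate(f[2])
        return disj(b, F(conj(("X", b), ("V", a))))
    raise ValueError(f"not an LTL formula: {f!r}")


def translation_agrees(m: LassoModel, f: Formula, positions: range) -> bool:
    """Lemma 2 checked pointwise: M, n |=_LTL A iff M, [n] |=_nabla A*."""
    t = translate(f)
    return all(holds_ltl(m, n, f) == holds_v(m, [n], t) for n in positions)


def until_history(m: LassoModel, n: int, a: Formula, b: Formula):
    """The history of a U b at n: the first k >= n with M, [n, k] |=_nabla X b ^ nabla a,
    i.e. a holds throughout [n, k] and b at k + 1; None if there is no such k."""
    for k in range(n, n + m.horizon + 1):
        if holds_v(m, [n, k], conj(("X", b), ("V", a))):
            return k
    return None


# Constructed sample model: positions 0 and 1 satisfy a; from 2 on, {b} and {} alternate.
def P(name): return ("p", name)
SAMPLE = LassoModel([frozenset({"a"}), frozenset({"a"})], [frozenset({"b"}), frozenset()])
A_UNTIL_B = ("U", P("a"), P("b"))

if __name__ == "__main__":
    for n in range(6):
        print(n, holds_ltl(SAMPLE, n, A_UNTIL_B),
              holds_v(SAMPLE, [n], translate(A_UNTIL_B)),
              until_history(SAMPLE, n, P("a"), P("b")))
```

Running the script prints, for each of the first six positions, the truth value of a U b under Definition 2, the truth value of its translation under Definition 5 (the two columns coincide, as Lemma 2 predicts), and the interval over which the history ∇a extends: at position 0 it is [0, 1], with b holding at 2, while at position 3 there is no history because a already fails there.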



4 N(LTL_∇): a labeled natural deduction system for LTL_∇

In this section, we will first define a labeled natural deduction system N(LTL_∇)
that is sound with respect to the semantics of LTL_∇. Then, by considering
a restriction of the set of N(LTL_∇)-derivations and by using the translation
(·)* and the related results, we will show that N(LTL_∇) can be also used for
reasoning on LTL: we will prove soundness with respect to the semantics of LTL
and we will give a proof of weak completeness with respect to LTL, by exploiting
the Hilbert-style axiomatization H(LTL).

4.1 The rules of N(LTL_∇)

The rules of N(LTL_∇) are given in Figure 1. In N(LTL_∇) we do not make
use of a proper relational labeling algebra (as, e.g., in [55]) that contains rules
that derive rwffs from other rwffs or even lwffs. Since we are mainly interested
in the derivation of logical formulas, we rather follow an approach that aims
at simplifying the system: we use rwffs only as assumptions for the derivation
of lwffs (as in Simpson's system for intuitionistic modal logic [H]). Thus, in
N(LTL_∇) there are no rules whose conclusion is an rwff.

The rules ⊃I and ⊃E are just the labeled version of the standard [17] natural
deduction rules for implication introduction and elimination, where the notion
of discharged/open assumption is also standard; e.g., [α : A] means that the
formula is discharged in ⊃I. The rule ⊥E is a labeled version of reductio ad
absurdum, where we do not constrain the time instant sequence (α2) in which
we derive a contradiction to be the same (α1) as in the assumption.

Rules are written as premises ⟹ conclusion; [φ] marks an assumption discharged by the rule and ⋮ a derivation from such assumptions.

    ⊥E      [α1 : A ⊃ ⊥] ⋮ α2 : ⊥                                     ⟹  α1 : A
    ⊃I      [α : A] ⋮ α : B                                            ⟹  α : A ⊃ B
    ⊃E      α : A ⊃ B,  α : A                                          ⟹  α : B
    GI      [b1 ≤ b2] ⋮ α b1 b2 : A                                    ⟹  α b1 : GA
    GE      α b1 : GA,  b1 ≤ b2                                        ⟹  α b1 b2 : A
    XI      [b1 ◁ b2] ⋮ α b1 b2 : A                                    ⟹  α b1 : XA
    XE      α b1 : XA,  b1 ◁ b2                                        ⟹  α b1 b2 : A
    ∇I      [b1 ≤ b2] [b2 ≤ b3] ⋮ α b1 b2 : A                          ⟹  α b1 b3 : ∇A
    ∇E      α b1 b3 : ∇A,  b1 ≤ b2,  b2 ≤ b3                           ⟹  α b1 b2 : A
    last    β b : A^l                                                  ⟹  α b : A^l
    eq≤     b1 ≤ b2,  b2 ≤ b1,  φ,  [φ[b2/b1]] ⋮ α : A                 ⟹  α : A
    refl≤   [b1 ≤ b1] ⋮ α : A                                          ⟹  α : A
    trans≤  b1 ≤ b2,  b2 ≤ b3,  [b1 ≤ b3] ⋮ α : A                      ⟹  α : A
    ser◁    [b1 ◁ b2] ⋮ α : A                                          ⟹  α : A
    lin◁    b1 ◁ b2,  b1 ◁ b3,  φ,  [φ[b3/b2]] ⋮ α : A                 ⟹  α : A
    split≤  b1 ≤ b2,  φ,  [φ[b2/b1]] ⋮ α : A,  [b1 ◁ b'] [b' ≤ b2] ⋮ α : A   ⟹  α : A
    base≤   b1 ◁ b2,  [b1 ≤ b2] ⋮ α : A                                ⟹  α : A
    ind     α b0 : A,  b0 ≤ b,  [b0 ≤ bi] [bi ◁ bj] [α bi : A] ⋮ α bj : A    ⟹  α b : A

The rules have the following side conditions:

— In XI (GI), b2 is fresh, i.e., it is different from b1 and does not occur in any assumption on
which α b1 b2 : A depends other than the discharged assumption b1 ◁ b2 (b1 ≤ b2).

— In ∇I, b2 is fresh, i.e., it is different from b1 and b3, and does not occur in any assumption on
which α b1 b2 : A depends other than the discharged assumptions b1 ≤ b2 and b2 ≤ b3.

— In last, the formula must be of the form A^l, as defined in (3).

— In ser◁, b2 is fresh, i.e., it is different from b1 and does not occur in any assumption on which
α : A depends other than the discharged assumption b1 ◁ b2.

— In split≤, b' is fresh, i.e., it is different from b1 and b2 and does not occur in any assumption
on which α : A depends other than the discharged assumptions b1 ◁ b' and b' ≤ b2.

— In ind, bi and bj are fresh, i.e., they are different from each other and from b and b0, and do
not occur in any assumption on which α bj : A depends other than the discharged assumptions
of the rule.

Fig. 1. The rules of N(LTL_∇)

The rules for the introduction and the elimination of G and X share the same
structure since they both have a "universal" formulation. Consider, for instance,
G and the corresponding relation ≤. The idea underlying the introduction rule
GI is that the meaning of α b1 : GA is given by the metalevel implication b1 ≤
b2 ⟹ α b1 b2 : A for an arbitrary b2 ≤-accessible from b1 (where the arbitrariness
of b2 is ensured by the side-condition on the rule). As we remarked above, the
operators G and X have a local nature, in that when we write α b1 : GA (and
similarly for α b1 : XA) we are stating that GA holds at time instant b1, which
is the last in the sequence α b1. Hence, the elimination rule GE says that if b2 is
≤-accessible from b1 (i.e., b1 ≤ b2), then we can conclude that A holds for the
sequence α b1 b2. Similar observations hold for X and the corresponding relation
◁.

The rule ser◁ models the fact that every time instant has an immediate
successor, while the rule lin◁ specifies that such a successor must be unique.
ser◁ tells us that if assuming b1 ◁ b2 we can derive α : A, then we can discharge
the assumption and conclude that indeed α : A. lin◁ is slightly more complex:
assume that b1 had two different immediate successors b2 and b3 (which we know
cannot be) and assume that the generic formula φ holds; if by substituting b3
for b2 in φ we obtain α : A, then we can discharge the assumption and conclude
that indeed α : A.

Similarly, the rules refl≤ and trans≤ state the reflexivity and transitivity
of ≤, while eq≤ captures substitution of equals.⁴ The rule split≤ states that if
b1 ≤ b2, then either b1 = b2 or b1 < b2. The rule thus works in the style of a
disjunction elimination: if by assuming either of the two cases, we can derive a
formula α : A, then we can discharge the assumptions and conclude α : A. Since
we do not use = and < explicitly in our syntax, we express such relations in an
indirect way: the equality of b1 and b2 is expressed by replacing one with the
other in a generic formula φ, < by the composition of ◁ and ≤.

The rule base≤ expresses the fact that ≤ contains ◁, while the rule ind models
the induction principle underlying the relation between ◁ and ≤. If (base case)
A holds in α b0 and if (inductive step) by assuming that A holds in α bi for an
arbitrary bi ≤-accessible from b0, we can derive that A holds also in α bj, where
bj is the immediate successor of bi, then we can conclude that A holds in every
α b such that b is ≤-accessible from b0.⁵

Finally, we have three rules that speak about the history and the label sequences:
the rules ∇I and ∇E, which we already described in the introduction,
and last. This rule expresses what we also anticipated in the introduction: the
standard operators (and connectives) of LTL speak not about sequences of time
instants but about single time instants, and thus if a formula A whose outermost
operator is not ∇ holds at β b, then we can safely replace β by any other
sequence α and conclude that A holds at α b. To formalize this, we define the set
of (well-formed) LTL^l-formulas (denoted by A^l) by means of the grammar

    A^l   ::= p | ⊥ | (A^l) ⊃ (A^l) | G(A^{l∇}) | X(A^{l∇})            (3)
    A^{l∇} ::= A^l | (A^{l∇}) ⊃ (A^{l∇}) | ∇(A^{l∇})

where p is a propositional symbol. Hence, in a formula A^l, the history operator
∇ can only appear in the scope of a temporal operator G (and thus of F as in
the translation (2)) or X. The rule last applies to these formulas only; in fact,
the "l" in A^l stands for "last", but it also conveniently evokes both "local" and
"LTL". For formulas ∇A whose outermost operator is the history operator ∇,
such a rule does not make sense (and in fact is not sound) as it would mean
changing the interval over which A holds.

⁴ Recall that in this paper we use rwffs only as assumptions for the derivation of lwffs,
so we do not need a more general rule that concludes φ[b2/b1] from φ, b1 ≤ b2 and
b2 ≤ b1.

⁵ The rule is given only in terms of relations between labels, since we restrict the
treatment of operators in the system to the specific rules for their introduction and
elimination.

Such considerations are formalized in the following lemma, where we prove,
for LTL^l-formulas, a result that is the analogue of the one given in Lemma 1
with respect to the translation of LTL-formulas.⁶ At the same time, we also prove
that if A is a formula belonging to the syntactic category A^{l∇} of the grammar (3)
(we will call such formulas LTL^{l∇}-formulas), then the truth value of A depends
on at most the last two elements of an observation sequence.

Lemma 3. Let M be an LTL-model, [n_1, ..., n_k] an observation sequence, A^l an
LTL^l-formula and A^{l∇} an LTL^{l∇}-formula. Then: (i) M, [n_1, ..., n_k] ⊨_∇ A^l iff
M, [m_1, ..., m_r, n_k] ⊨_∇ A^l for every sequence m_1, ..., m_r and (ii) M, [n_1, ...,
n_{k-1}, n_k] ⊨_∇ A^{l∇} iff M, [m_1, ..., m_r, n_{k-1}, n_k] ⊨_∇ A^{l∇} for every sequence
m_1, ..., m_r.

Given the rules in Fig. 1, the notions of derivation, assumption (open or
discharged, as we remarked) and conclusion are the standard ones for natural
deduction systems [17]. We write Φ ⊢_∇ α : A to say that there exists a derivation
of α : A in the system N(LTL_∇) whose open assumptions are all contained in the
set of formulas Φ. A derivation of α : A in N(LTL_∇) where all the assumptions
are discharged is a proof of α : A in N(LTL_∇) and we then say that α : A is a
theorem of N(LTL_∇) and write ⊢_∇ α : A.

To denote that Π is a derivation of α : A whose set of assumptions may
contain the formulas φ1, ..., φn, we write

    φ1 ... φn
        Π
      α : A

If we are interested in LTL-reasoning, then we can restrict our attention
to a subset of the N(LTL_∇)-derivations, namely, to the derivations where the
conclusion and all the open assumptions correspond to the translations of LTL-formulas.

⁶ In fact, Lemma 1 is a direct consequence of Lemma 3 and of Lemma 4 below.

Definition 7. Let Π be a derivation in N(LTL_∇) and Φ the set containing the
conclusion and the open assumptions of Π. We say that Π is an LTL-derivation
iff there exists a label b such that for every φ in Φ there exists an LTL-formula
A such that φ = b : A*. We write Δ ⊢_LTL A to denote that in N(LTL_∇) there
exists an LTL-derivation of b : A* from open assumptions in a set Φ, where
Δ = {B | b : B* ∈ Φ}.

In Definition 7 we require all the open assumptions and the conclusion of
an LTL-derivation to be lwffs labeled by the same single label b. Note that, as a
consequence of Corollary 1, we would obtain the same notion of LTL-derivation
by requiring instead that such formulas were labeled by the same sequence α.

In Section 4.2 we will show that N(LTL_∇) is sound with respect to the semantics
of LTL_∇ and, by considering the notion of LTL-derivability ⊢_LTL, that it
is sound and weakly complete with respect to LTL. An investigation of completeness
with respect to LTL_∇ is left for future work, together with the formalization
of an axiomatization of LTL_∇.

Related to this, it is important to understand what exactly is the relationship
of the class of LTL^l-formulas and the class of LTL-formulas, in particular with
respect to the translation (·)*. It is not difficult to see that the co-domain of the
translation is included in LTL^l by construction of (·)*, i.e., by induction on the
formula complexity it follows that:

Lemma 4. If A is an LTL-formula, then A* is an LTL^l-formula.

The other direction is trickier, as it basically amounts to defining an inverse
translation. To solve this problem, we have been considering normal forms of
LTL^l-formulas and we conjecture that the following fact indeed holds.

Conjecture 1. If A is an LTL^l-formula, then there exists an LTL-formula B such
that B* is semantically equivalent to A.

4.2 Soundness and completeness

Theorem 2. For every set Φ of labeled and relational formulas and every labeled
formula α : A, if Φ ⊢_∇ α : A, then Φ ⊨_∇ α : A.

Proof. The proof proceeds by induction on the structure of the derivation of
α : A. The base case is when α : A ∈ Φ and is trivial. There is one step case for
every rule and we show here only the two representative cases

    [b1 ≤ b2]  [b2 ≤ b3]
            Π                                   Π
       β b1 b2 : B                          β' b : A
    ----------------- ∇I       and        ---------- last
       β b1 b3 : ∇B                          β b : A

Some more cases are in Appendix A.3. First, consider the case in which the
last rule application is a ∇I, where α = β b1 b3, A = ∇B, and Π is a proof
of β b1 b2 : B from hypotheses in Φ' with b2 fresh and with Φ' = Φ ∪ {b1 ≤
b2} ∪ {b2 ≤ b3}. By the induction hypothesis, for every interpretation I, if
M, I ⊨_∇ Φ', then M, I ⊨_∇ β b1 b2 : B. We let I be any interpretation such that
M, I ⊨_∇ Φ and show that M, I ⊨_∇ β b1 b3 : ∇B. Let I(b1) = n, I(b3) = n + m
and I⁺(β) = [n_1, ..., n_k]. Since b2 is fresh, we can extend I to an interpretation
(still called I for simplicity) such that I(b2) = n + i for an arbitrary 0 ≤ i ≤ m.
The induction hypothesis yields M, I ⊨_∇ β b1 b2 : B, i.e., M, [n_1, ..., n_k, n, n +
i] ⊨_∇ B, and thus, since i is an arbitrary point between 0 and m, we obtain
M, [n_1, ..., n_k, n, n + m] ⊨_∇ ∇B. It follows M, I ⊨_∇ β b1 b3 : ∇B.

Now consider the case in which the last rule applied is last and a = flb, 
where 77 is a proof of [3'b : A from hypotheses in <P. By applying the induc- 
tion hypothesis on 77, we have (= v /3'& : A. We proceed by considering a 
generic 777-model Ai and a generic interpretation I on it such that A4,X |= v 
and showing that this entails Ai,X |= v /36 : A. By the induction hypothesis, 
M,I(= V /3'6 : A, i.e., M,X+(f3'b) h v ^ b y Definition [3 Since A is an LTL 1 - 
formula by the side condition of the rule and the two observation sequences 
I + (f3'b) and X + ([3b) share the same last element 1(b), we can apply Lemma [3] 
and obtain M,X+(f3b) ^ v A, i.e., M,X |= v (3b : A by Definition [3 

By exploiting the translation $(\cdot)^*$ and the notion of LTL-derivation, 
we also prove a result of soundness with respect to LTL. 

Theorem 3. For every set $\Delta$ of LTL-formulas and every LTL-formula $A$, if 
$\Delta \vdash_{LTL} A$, then $\Delta \models_{LTL} A$. 

Proof. By definition of $\vdash_{LTL}$, for a given label $b$, there exists a derivation in 
$N(LTL_V)$ of $b : A^*$ from open assumptions in $\Phi = \{ b : B^* \mid B \in \Delta \}$. By 
Theorem 2, $\Phi \vdash_V b : A^*$ implies $\Phi \models_V b : A^*$. Since $b$ is generic, we have that for 
every $LTL_V$-model $\mathcal{M}$ and every interpretation $\mathcal{I}$, $\mathcal{M}, \mathcal{I} \models_V \Phi$ implies $\mathcal{M}, \mathcal{I} \models_V b : A^*$ 
iff for every natural number $n$, $\mathcal{M}, [n] \models_V \Delta^*$ implies $\mathcal{M}, [n] \models_V A^*$, 
where $\Delta^* = \{ B^* \mid B \in \Delta \}$. By Lemma 1, we infer that for every observation 
sequence $\sigma$, $\mathcal{M}, \sigma \models_V \Delta^*$ implies $\mathcal{M}, \sigma \models_V A^*$. By the definition of $\models_V$, $\Delta^* \models_V A^*$ and 
thus, by Theorem 1, we conclude $\Delta \models_{LTL} A$. 

As we anticipated, an analysis of the completeness of $N(LTL_V)$ with respect 
to $LTL_V$ is left for future work. Here we discuss completeness with respect to 
LTL. The proposed natural deduction system consists of only unitary rules; 
consequently, it cannot be strongly complete for LTL.^7 Nevertheless, by using 
the axiomatization $H(LTL)$ and the translation $(\cdot)^*$, we can give a proof of weak 
completeness for it; namely: 

Theorem 4. For every LTL-formula $A$, if $\models_{LTL} A$, then $\vdash_{LTL} A$. 

Proof. We can prove the theorem by showing that $N(LTL_V)$ is complete with 
respect to the axiomatization $H(LTL)$ given in Section 2, which is sound and 
complete for the logic LTL. That is, we need to prove that: (i) the translation, 
via $(\cdot)^*$, of every axiom of $H(LTL)$ is provable in $N(LTL_V)$ by means of an LTL-derivation, 
and (ii) the notion of $\vdash_{LTL}$ is closed under the (labeled equivalent of 
the) rules of inference of $H(LTL)$. Showing (ii) is straightforward and we omit it 
here. As an example for (i), we give here a derivation of the translation of (A6). 
The other cases are presented in Appendix A.4. 

^7 This is not a problem of our formulation: all the unitary deduction systems for 
temporal logics equipped with at least the operators X and G have such a defect; 
see, e.g., [?, Ch. 6]. 



The derivation of $b : G(A \supset XA) \supset (A \supset GA)$ uses the discharged hypotheses 
$[b : G(A \supset XA)]^1$, $[b : A]^2$, $[b \le c]^3$, and $[b \le b_i]^4$, $[b_i : A]^4$, $[b_i \lhd b_j]^4$ 
(the three hypotheses of the rule ind), and reads, from the leaves down: 

$bb_i : A \supset XA$ by $GE$ from $[b : G(A \supset XA)]^1$ and $[b \le b_i]^4$; 
$bb_i : A$ by last from $[b_i : A]^4$; 
$bb_i : XA$ by $\supset E$ from the two previous formulas; 
$bb_i b_j : A$ by $XE$ from $bb_i : XA$ and $[b_i \lhd b_j]^4$, hence $b_j : A$ by last; 
$c : A$ by $ind^4$ from $[b : A]^2$, $[b \le c]^3$ and $b_j : A$; 
$bc : A$ by last; 
$b : GA$ by $GI^3$; 
$b : A \supset GA$ by $\supset I^2$; 
$b : G(A \supset XA) \supset (A \supset GA)$ by $\supset I^1$. 


5 Conclusions 

The introduction of the operator V has allowed us to formalize the "history" 
of until and thus, via a proper translation, to give a labeled natural deduction 
system for a linear-time logic endowed with V that is also sound and complete 
with respect to LTL with until. As we remarked above, we see this work as 
spawning several different directions for future research. First, the "recipe" for 
dealing with until that we gave here is abstract and general, and thus provides 
the basis for formalizing deduction systems for temporal logics endowed with 
U, both linear and branching time. We are currently considering CTL* and its 
sublogics as in [16,18] and are also working on a formal characterization of the 
class of logics that can be captured with our approach. 

Second, the well-behaved nature of our approach, where each conn
ective and 
operator has one introduction and one elimination rule, paves the way to a proof-theoretical 
analysis of the resulting natural deduction systems, e.g., to show proof 
normalization and other useful meta-theoretical properties, which we are tackling 
in current work. Moreover, we are also considering different optimizations of the 
rules. In particular, along the lines of the discussion about the rule last (and 
Corollary 1 and Definition 7), we are investigating to what extent we can use 
sequences as labels only when they are really needed, which would also simplify 
the proofs of normalization and other meta-properties.^8 This is closely related to the 
formalization of the relationship between the class of $LTL^1$-formulas and that 
of $LTL_V$-formulas, which in turn will allow us to reason about the completeness 
of $N(LTL_V)$ with respect to the semantics of $LTL_V$ and also to provide an 
axiomatization of $LTL_V$ (thus treating it as a full-fledged logic as opposed to 
as a "service" logic for LTL as we did here). 

^8 As an interesting side-track, we believe that the restriction we imposed on formulas 
for the rule last, i.e., considering $A^1$ and $A^{1V}$, is closely related, at least in spirit, to the 
focus on persistent formulas when combining intuitionistic and classical logic so as 
to avoid the collapse of the two logics into one, see [?] but also [4,19]. We are, after all, 
considering here formulas stemming from two classes (if not two logics altogether), 
and it thus makes sense that they require different labeling (single instants and 
sequences). 

Finally, it is worth observing that several works have considered interval temporal 
logics, e.g., [3,5,11,14,19]. While these works consider intervals explicitly, 
we have used them somewhat implicitly here, as a means to formalize the dual 
nature of until via the history V, and this is another reason why it is interesting 
to reduce the use of label sequences as much as possible. A more detailed 
comparison of our approach with these works is left for future work. 

Acknowledgments. This work was partially supported by the PRIN projects 
"CONCERTO" and "SOFT". 
A Proofs 

A.1 Properties of the translation $(\cdot)^*$ 

Proof of Lemma 1. By induction on the complexity of $A$. The base case is when 
$A = p$ or $A = \bot$ and is trivial. There is one inductive step case for each connective 
and temporal operator. 

$A = B \supset C$. Then the translation of $A$ is $A^* = B^* \supset C^*$. By Definition 5 
we obtain $\mathcal{M}, [n_1, \ldots, n_k] \models_V B^* \supset C^*$ iff $\mathcal{M}, [n_1, \ldots, n_k] \models_V B^*$ implies 
$\mathcal{M}, [n_1, \ldots, n_k] \models_V C^*$. By the induction hypothesis, we see that this holds 
iff $\mathcal{M}, [m_1, \ldots, m_r, n_k] \models_V B^*$ implies $\mathcal{M}, [m_1, \ldots, m_r, n_k] \models_V C^*$ for every 
sequence $m_1, \ldots, m_r$ and thus, by Definition 5, iff for every sequence 
$m_1, \ldots, m_r$, $\mathcal{M}, [m_1, \ldots, m_r, n_k] \models_V B^* \supset C^*$. 

$A = GB$. Then $A^* = GB^*$. By Definition 5, $\mathcal{M}, [n_1, \ldots, n_k] \models_V GB^*$ iff $\forall m \ge n_k.\ 
\mathcal{M}, [n_1, \ldots, n_k, m] \models_V B^*$ iff (by the induction hypothesis) $\forall m \ge n_k.\ \mathcal{M}, 
[m_1, \ldots, m_r, n_k, m] \models_V B^*$ for every sequence $m_1, \ldots, m_r$ iff (by Definition 
5) $\mathcal{M}, [m_1, \ldots, m_r, n_k] \models_V GB^*$ for every sequence $m_1, \ldots, m_r$. 

$A = XB$. This case is very similar to the previous one and we omit it. 

$A = BUC$. Then $A^* = C^* \vee (F(XC^* \wedge VB^*))$. By Definition 5 we have $\mathcal{M}, 
[n_1, \ldots, n_k] \models_V A^*$ iff ($\mathcal{M}, [n_1, \ldots, n_k] \models_V C^*$ or $\mathcal{M}, [n_1, \ldots, n_k] \models_V 
F(XC^* \wedge VB^*)$) iff ($\mathcal{M}, [n_1, \ldots, n_k] \models_V C^*$ or $\exists m \ge n_k.\ \mathcal{M}, [n_1, \ldots, n_k, m] 
\models_V XC^* \wedge VB^*$) iff ($\mathcal{M}, [n_1, \ldots, n_k] \models_V C^*$ or $\exists m \ge n_k.\ (\mathcal{M}, [n_1, \ldots, n_k, m] 
\models_V XC^*$ and $\mathcal{M}, [n_1, \ldots, n_k, m] \models_V VB^*)$) iff ($\mathcal{M}, [n_1, \ldots, n_k] \models_V C^*$ 
or $\exists m \ge n_k.\ (\mathcal{M}, [n_1, \ldots, n_k, m, m+1] \models_V C^*$ and $\forall l.\ n_k \le l \le m$ implies 
$\mathcal{M}, [n_1, \ldots, n_k, l] \models_V B^*)$) iff (by the induction hypothesis) for every 
sequence $m_1, \ldots, m_r$, we have ($\mathcal{M}, [m_1, \ldots, m_r, n_k] \models_V C^*$ or $\exists m \ge 
n_k.\ (\mathcal{M}, [m_1, \ldots, m_r, n_k, m, m+1] \models_V C^*$ and $\forall l.\ n_k \le l \le m$ implies 
$\mathcal{M}, [m_1, \ldots, m_r, n_k, l] \models_V B^*)$) iff (by Definition 5) $\mathcal{M}, [m_1, \ldots, m_r, n_k] 
\models_V C^* \vee (F(XC^* \wedge VB^*))$ for every sequence $m_1, \ldots, m_r$. 

□ 

Proof of Corollary 1. Immediate, by Lemma 1. □ 

Proof of Lemma 2. By induction on the complexity of $A$. The base case is when 
$A = p$ or $A = \bot$ and is trivial. As inductive step, we have a case for each 
connective and temporal operator. 

$A = B \supset C$. Then $A^* = B^* \supset C^*$. We have $\mathcal{M}, n \models_{LTL} B \supset C$ iff (by the definition 
of $\models_{LTL}$) $\mathcal{M}, n \models_{LTL} B$ implies $\mathcal{M}, n \models_{LTL} C$ iff (by the induction hypothesis) 
$\mathcal{M}, [n] \models_V B^*$ implies $\mathcal{M}, [n] \models_V C^*$ iff (by Definition 5) $\mathcal{M}, [n] \models_V B^* \supset 
C^*$. 

$A = GB$. Then $A^* = GB^*$. We have $\mathcal{M}, n \models_{LTL} GB$ iff (by the definition of $\models_{LTL}$) $\forall m \ge 
n.\ \mathcal{M}, m \models_{LTL} B$ iff (by the induction hypothesis) $\forall m \ge n.\ \mathcal{M}, [m] \models_V B^*$ 
iff (by Lemma 1) $\forall m \ge n.\ \mathcal{M}, [n, m] \models_V B^*$ iff (by Definition 5) $\mathcal{M}, [n] \models_V 
GB^*$. 

$A = XB$. This case is very similar to the previous one and we omit it. 

$A = BUC$. Then $A^* = C^* \vee (F(XC^* \wedge VB^*))$. We have $\mathcal{M}, n \models_{LTL} A$ iff (by 
the definition of $\models_{LTL}$) $\exists m \ge n.\ \mathcal{M}, m \models_{LTL} C$ and $\forall n'.\ n \le n' < m$ implies $\mathcal{M}, n' \models_{LTL} 
B$ iff $\mathcal{M}, n \models_{LTL} C$ or ($\exists m > n.\ \mathcal{M}, m \models_{LTL} C$ and $\forall n'.\ n \le n' < m$ implies 
$\mathcal{M}, n' \models_{LTL} B$) iff (by the induction hypothesis) $\mathcal{M}, [n] \models_V C^*$ or ($\exists m > 
n.\ \mathcal{M}, [m] \models_V C^*$ and $\forall n'.\ n \le n' < m$ implies $\mathcal{M}, [n'] \models_V B^*$) iff (by 
Lemma 1) $\mathcal{M}, [n] \models_V C^*$ or ($\exists m > n.\ \mathcal{M}, [n, m] \models_V C^*$ and $\forall n'.\ n \le n' < m$ 
implies $\mathcal{M}, [n, n'] \models_V B^*$) iff $\mathcal{M}, [n] \models_V C^*$ or ($\exists l \ge n.\ \mathcal{M}, [n, l, l+1] \models_V 
C^*$ and $\forall n'.\ n \le n' \le l$ implies $\mathcal{M}, [n, n'] \models_V B^*$) iff (by Definition 5) 
$\mathcal{M}, [n] \models_V C^*$ or ($\exists l \ge n.\ \mathcal{M}, [n, l] \models_V XC^* \wedge VB^*$) iff (by Definition 5) 
$\mathcal{M}, [n] \models_V C^* \vee F(XC^* \wedge VB^*)$. 

□ 
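An added, executable illustration of the two lemmas above (code written for this page, not code from the paper): it implements the translation $(\cdot)^*$, the instant semantics $\models_{LTL}$ and the sequence semantics $\models_V$ as read from the proofs, and checks on a constructed trace that $\mathcal{M}, n \models_{LTL} A$ agrees with $\mathcal{M}, [n] \models_V A^*$ (Lemma 2) and that $A^*$ on $[m, n]$ agrees with $A^*$ on $[n]$ (Lemma 1). The last sample formula is the translation of axiom (A6), whose derivation is given in Section 4.2, so its validity on the trace can be checked as well. Everything specific to the block is an assumption of the example rather than the paper's notation: formulas are nested tuples, a model is a finite list of states whose last state repeats forever (which makes every future quantifier finite), and the names `translate`, `sat_ltl`, `sat_v`, `translation_mismatches` and `prefix_mismatches` are mine.

```python
# Added example (written for this page, not the paper's code): the translation
# (.)* and the semantics |=_LTL and |=_V as executable functions, checked on a
# constructed trace. Assumptions: formulas are nested tuples; a model is a finite
# list of states whose last state repeats forever; V needs a sequence of length >= 2.
from typing import List, Set, Tuple

Formula = tuple         # ('p', name) | ('bot',) | ('imp', A, B) | ('X', A) | ('G', A)
Trace = List[Set[str]]  # | ('U', A, B) | ('F', A) | ('V', A) | ('and', A, B) | ('or', A, B)


def translate(a: Formula) -> Formula:
    """(.)*: p*=p, bot*=bot, (B>C)*=B*>C*, (XB)*=XB*, (GB)*=GB*, (BUC)*=C* or F(XC* and VB*)."""
    tag = a[0]
    if tag in ('p', 'bot'):
        return a
    if tag == 'imp':
        return ('imp', translate(a[1]), translate(a[2]))
    if tag in ('X', 'G'):
        return (tag, translate(a[1]))
    if tag == 'U':
        b_star, c_star = translate(a[1]), translate(a[2])
        return ('or', c_star, ('F', ('and', ('X', c_star), ('V', b_star))))
    raise ValueError(f'not an LTL formula: {a!r}')


def _state(trace: Trace, i: int) -> Set[str]:
    return trace[min(i, len(trace) - 1)]  # the last state repeats forever

def _future(trace: Trace, n: int) -> range:
    # instants m >= n; beyond max(n, len(trace)) + 1 nothing changes any more
    return range(n, max(n, len(trace)) + 2)


def sat_ltl(trace: Trace, n: int, a: Formula) -> bool:
    """M, n |=_LTL A, with reflexive G and U as in the paper."""
    tag = a[0]
    if tag == 'p':
        return a[1] in _state(trace, n)
    if tag == 'bot':
        return False
    if tag == 'imp':
        return (not sat_ltl(trace, n, a[1])) or sat_ltl(trace, n, a[2])
    if tag == 'X':
        return sat_ltl(trace, n + 1, a[1])
    if tag == 'G':
        return all(sat_ltl(trace, m, a[1]) for m in _future(trace, n))
    if tag == 'U':  # some m >= n with C at m and B at every n' with n <= n' < m
        return any(sat_ltl(trace, m, a[2])
                   and all(sat_ltl(trace, k, a[1]) for k in range(n, m))
                   for m in _future(trace, n))
    raise ValueError(f'not an LTL formula: {a!r}')


def sat_v(trace: Trace, seq: List[int], a: Formula) -> bool:
    """M, [n_1, ..., n_k] |=_V A: X, G, F extend the sequence; V looks back to n_{k-1}."""
    nk = seq[-1]
    tag = a[0]
    if tag == 'p':
        return a[1] in _state(trace, nk)
    if tag == 'bot':
        return False
    if tag == 'imp':
        return (not sat_v(trace, seq, a[1])) or sat_v(trace, seq, a[2])
    if tag == 'and':
        return sat_v(trace, seq, a[1]) and sat_v(trace, seq, a[2])
    if tag == 'or':
        return sat_v(trace, seq, a[1]) or sat_v(trace, seq, a[2])
    if tag == 'X':
        return sat_v(trace, seq + [nk + 1], a[1])
    if tag == 'G':
        return all(sat_v(trace, seq + [m], a[1]) for m in _future(trace, nk))
    if tag == 'F':
        return any(sat_v(trace, seq + [m], a[1]) for m in _future(trace, nk))
    if tag == 'V':  # B at [n_1, ..., n_{k-1}, n] for every n with n_{k-1} <= n <= n_k
        if len(seq) < 2:
            raise ValueError('V needs an observation sequence of length >= 2')
        return all(sat_v(trace, seq[:-1] + [n], a[1]) for n in range(seq[-2], nk + 1))
    raise ValueError(f'unknown operator: {a!r}')


def translation_mismatches(trace: Trace, formulas: List[Formula]) -> List[Tuple[Formula, int]]:
    """(A, n) where M, n |=_LTL A and M, [n] |=_V A* disagree; Lemma 2 says: none."""
    return [(a, n) for a in formulas for n in range(len(trace))
            if sat_ltl(trace, n, a) != sat_v(trace, [n], translate(a))]

def prefix_mismatches(trace: Trace, formulas: List[Formula]) -> List[Tuple[Formula, int, int]]:
    """(A, m, n) where A* on [m, n] and A* on [n] disagree; Lemma 1 says: none."""
    return [(a, m, n) for a in formulas for m in range(len(trace)) for n in range(len(trace))
            if sat_v(trace, [m, n], translate(a)) != sat_v(trace, [n], translate(a))]


# constructed sample trace: p, p, q, nothing, then p and q forever
SAMPLE: Trace = [{'p'}, {'p'}, {'q'}, set(), {'p', 'q'}]
P, Q, NOT_Q = ('p', 'p'), ('p', 'q'), ('imp', ('p', 'q'), ('bot',))
SAMPLE_FORMULAS: List[Formula] = [
    ('U', P, Q),                                                  # p U q
    ('G', ('imp', P, ('X', P))),                                  # G(p > Xp)
    ('imp', ('U', P, Q), ('G', NOT_Q)),                           # (p U q) > G(not q)
    ('X', ('U', NOT_Q, P)),                                       # X((not q) U p)
    ('imp', ('G', ('imp', P, ('X', P))), ('imp', P, ('G', P))),  # axiom (A6)
]
```

`translation_mismatches(SAMPLE, SAMPLE_FORMULAS)` and `prefix_mismatches(SAMPLE, SAMPLE_FORMULAS)` both return `[]`, as the two lemmas predict, and `sat_ltl(SAMPLE, 3, SAMPLE_FORMULAS[0])` is `False` because $p$ already fails at instant 3 before $q$ is reached; on the $V$ side this is exactly the history $V p$ failing at every $[3, l]$. The bounded range in `_future` is sound only under the stated assumption that the last state repeats: with an arbitrary infinite model the quantifiers would have to be handled symbolically.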

A.2 The system $N(LTL_V)$ 

Proof of Lemma 3. The proofs of the statements (i) and (ii) proceed in parallel 
and are by induction on the formula complexity. The base case is when 
$A^1 = p$ or $A^1 = \bot$ and is trivial. There is one inductive step case for each other 
formation case coming from the recursive definition of the grammar. Along 
the proof, $A^1, B^1, C^1, \ldots$ denote $LTL^1$-formulas while $A^{1V}, B^{1V}, C^{1V}, \ldots$ denote 
$LTL^{1V}$-formulas. 

$A^1 = B^1 \supset C^1$. By Definition 5 we have $\mathcal{M}, [n_1, \ldots, n_k] \models_V B^1 \supset C^1$ iff $\mathcal{M}, [n_1, 
\ldots, n_k] \models_V B^1$ implies $\mathcal{M}, [n_1, \ldots, n_k] \models_V C^1$. By the induction hypothesis, 
we see that this holds iff $\mathcal{M}, [m_1, \ldots, m_r, n_k] \models_V B^1$ implies $\mathcal{M}, [m_1, \ldots, 
m_r, n_k] \models_V C^1$ for every sequence $m_1, \ldots, m_r$ and thus, by Definition 5, iff 
for every sequence $m_1, \ldots, m_r$, $\mathcal{M}, [m_1, \ldots, m_r, n_k] \models_V B^1 \supset C^1$. 

$A^1 = GB^{1V}$. $\mathcal{M}, [n_1, \ldots, n_k] \models_V GB^{1V}$ iff (by Definition 5) $\forall m \ge n_k.\ \mathcal{M}, 
[n_1, \ldots, n_k, m] \models_V B^{1V}$ iff (by the induction hypothesis) $\forall m \ge n_k.\ \mathcal{M}, 
[m_1, \ldots, m_r, n_k, m] \models_V B^{1V}$ for every sequence $m_1, \ldots, m_r$ iff (by Definition 
5) $\mathcal{M}, [m_1, \ldots, m_r, n_k] \models_V GB^{1V}$ for every sequence $m_1, \ldots, m_r$. 

$A^1 = XB^{1V}$. This case is very similar to the previous one and we omit it. 

$A^{1V} = B^1$. $\mathcal{M}, [n_1, \ldots, n_k] \models_V B^1$ iff (by the induction hypothesis) $\mathcal{M}, [i_1, \ldots, 
i_s, n_k] \models_V B^1$ for every sequence $i_1, \ldots, i_s$ and thus also $\mathcal{M}, [m_1, \ldots, 
m_r, n_{k-1}, n_k] \models_V B^1$ for every sequence $m_1, \ldots, m_r$. 

$A^{1V} = B^{1V} \supset C^{1V}$. $\mathcal{M}, [n_1, \ldots, n_k] \models_V B^{1V} \supset C^{1V}$ iff (by Definition 5) $\mathcal{M}, [n_1, 
\ldots, n_k] \models_V B^{1V}$ implies $\mathcal{M}, [n_1, \ldots, n_k] \models_V C^{1V}$. By the induction hypothesis, 
this holds iff $\mathcal{M}, [m_1, \ldots, m_r, n_{k-1}, n_k] \models_V B^{1V}$ implies $\mathcal{M}, [m_1, 
\ldots, m_r, n_{k-1}, n_k] \models_V C^{1V}$ for every sequence $m_1, \ldots, m_r$ and thus, by 
Definition 5, iff for every sequence $m_1, \ldots, m_r$, $\mathcal{M}, [m_1, \ldots, m_r, n_{k-1}, n_k] 
\models_V B^{1V} \supset C^{1V}$. 

$A^{1V} = VB^{1V}$. $\mathcal{M}, [n_1, \ldots, n_k] \models_V VB^{1V}$ iff (by Definition 5) $\forall n.\ n_{k-1} \le n \le 
n_k$ implies $\mathcal{M}, [n_1, \ldots, n_{k-1}, n] \models_V B^{1V}$ iff (by the induction hypothesis) 
$\forall n.\ n_{k-1} \le n \le n_k$ implies $\mathcal{M}, [m_1, \ldots, m_r, n_{k-1}, n] \models_V B^{1V}$ for every 
sequence $m_1, \ldots, m_r$ iff (by Definition 5) $\mathcal{M}, [m_1, \ldots, m_r, n_{k-1}, n_k] \models_V 
VB^{1V}$ for every sequence $m_1, \ldots, m_r$. 

□ 
A.3 Soundness 

Proof of Theorem 2. We present here some more cases related to the proof of 
Theorem 2, which states the soundness of the system $N(LTL_V)$ with respect to 
the semantics of $LTL_V$. 

Consider the case in which the last rule application is a $GI$, where $\alpha = \beta b_1$ 
and $A = GB$: 

$$
\dfrac{\begin{array}{c} [b_1 \le b_2] \\ \Pi \\ \beta b_1 b_2 : B \end{array}}{\beta b_1 : GB}\ GI
$$

where $\Pi$ is a proof of $\beta b_1 b_2 : B$ from hypotheses in $\Phi'$, with $b_2$ fresh and with 
$\Phi' = \Phi \cup \{b_1 \le b_2\}$. By the induction hypothesis, for all interpretations $\mathcal{I}$, if 
$\mathcal{M}, \mathcal{I} \models_V \Phi'$, then $\mathcal{M}, \mathcal{I} \models_V \beta b_1 b_2 : B$. We let $\mathcal{I}$ be any interpretation such that 
$\mathcal{M}, \mathcal{I} \models_V \Phi$, and show that $\mathcal{M}, \mathcal{I} \models_V \beta b_1 : GB$. Let $\mathcal{I}(b_1) = n$ and $\mathcal{I}^+(\beta) = 
[n_1, \ldots, n_k]$. Since $b_2$ is fresh, we can extend $\mathcal{I}$ to an interpretation (still called 
$\mathcal{I}$ for simplicity) such that $\mathcal{I}(b_2) = n + m$ for an arbitrary $m \ge 0$. The induction 
hypothesis yields $\mathcal{M}, \mathcal{I} \models_V \beta b_1 b_2 : B$, i.e., $\mathcal{M}, [n_1, \ldots, n_k, n, n+m] \models_V B$, 
and thus, since $m$ is arbitrary, we obtain $\mathcal{M}, [n_1, \ldots, n_k, n] \models_V GB$. It follows 
$\mathcal{M}, \mathcal{I} \models_V \beta b_1 : GB$. 

Now consider the case in which the last rule applied is $GE$ and $\alpha = \beta b_1 b_2$: 

$$
\dfrac{\begin{array}{c} \Pi \\ \beta b_1 : GA \end{array} \qquad b_1 \le b_2}{\beta b_1 b_2 : A}\ GE
$$

where $\Pi$ is a proof of $\beta b_1 : GA$ from hypotheses in $\Phi_1$, with $\Phi = \Phi_1 \cup \{b_1 \le b_2\}$ 
for some set $\Phi_1$ of formulas. By applying the induction hypothesis on $\Pi$, we 
have: 

$\Phi_1 \models_V \beta b_1 : GA$. 

We proceed by considering a generic $LTL_V$-model $\mathcal{M}$ and a generic interpretation 
$\mathcal{I}$ on it such that $\mathcal{M}, \mathcal{I} \models_V \Phi$ and showing that this entails 

$\mathcal{M}, \mathcal{I} \models_V \beta b_1 b_2 : A$. 

Since $\Phi_1 \subseteq \Phi$, we deduce $\mathcal{M}, \mathcal{I} \models_V \Phi_1$ and, from the induction hypothesis, 
$\mathcal{M}, \mathcal{I} \models_V \beta b_1 : GA$. Furthermore $\mathcal{M}, \mathcal{I} \models_V \Phi$ entails $\mathcal{M}, \mathcal{I} \models_V b_1 \le b_2$. Then, 
by Definition 5, we obtain $\mathcal{M}, \mathcal{I} \models_V \beta b_1 b_2 : A$. 

Now consider the case in which the last rule applied is $VE$ and $\alpha = \beta b_1 b_2$: 

$$
\dfrac{\begin{array}{c} \Pi \\ \beta b_1 b_3 : VA \end{array} \qquad b_1 \le b_2 \qquad b_2 \le b_3}{\beta b_1 b_2 : A}\ VE
$$

where $\Pi$ is a proof of $\beta b_1 b_3 : VA$ from hypotheses in $\Phi_1$, with $\Phi = \Phi_1 \cup \{b_1 \le 
b_2\} \cup \{b_2 \le b_3\}$ for some set $\Phi_1$ of formulas. By applying the induction hypothesis 
on $\Pi$, we have: 

$\Phi_1 \models_V \beta b_1 b_3 : VA$. 

We proceed by considering a generic $LTL_V$-model $\mathcal{M}$ and a generic interpretation 
$\mathcal{I}$ on it such that $\mathcal{M}, \mathcal{I} \models_V \Phi$ and showing that this entails 

$\mathcal{M}, \mathcal{I} \models_V \beta b_1 b_2 : A$. 

Since $\Phi_1 \subseteq \Phi$, we deduce $\mathcal{M}, \mathcal{I} \models_V \Phi_1$ and, from the induction hypothesis, 
$\mathcal{M}, \mathcal{I} \models_V \beta b_1 b_3 : VA$. Furthermore $\mathcal{M}, \mathcal{I} \models_V \Phi$ entails $\mathcal{M}, \mathcal{I} \models_V b_1 \le b_2$ and 
$\mathcal{M}, \mathcal{I} \models_V b_2 \le b_3$. Then, by Definition 5, we obtain $\mathcal{M}, \mathcal{I} \models_V \beta b_1 b_2 : A$. 

Finally, consider the case in which the last rule applied is ind and $\alpha = \beta b$: 

$$
\dfrac{\begin{array}{c} \Pi' \\ \beta b_0 : A \end{array} \qquad b_0 \le b \qquad \begin{array}{c} [b_0 \le b_i] \quad [b_i \lhd b_j] \quad [\beta b_i : A] \\ \Pi \\ \beta b_j : A \end{array}}{\beta b : A}\ ind
$$

where $\Pi$ is a proof of $\beta b_j : A$ from hypotheses in $\Phi_2$ and $\Pi'$ is a proof of 
$\beta b_0 : A$ from hypotheses in $\Phi_1$, with $\Phi = \Phi_1 \cup \{b_0 \le b\}$ and $\Phi_2 = \Phi_1 \cup \{b_0 \le 
b_i\} \cup \{b_i \lhd b_j\} \cup \{\beta b_i : A\}$ for some set $\Phi_1$ of formulas. The side-condition on 
ind ensures that $b_i$ and $b_j$ are fresh in $\Pi$. Hence, by applying the induction 
hypothesis on $\Pi$ and $\Pi'$, we have: 

$\Phi_2 \models_V \beta b_j : A$ and $\Phi_1 \models_V \beta b_0 : A$. 

We proceed by considering a generic $LTL_V$-model $\mathcal{M}$ and a generic interpretation 
$\mathcal{I}$ on it such that $\mathcal{M}, \mathcal{I} \models_V \Phi$ and showing that this entails 

$\mathcal{M}, \mathcal{I} \models_V \beta b : A$. 

First, we note that $\Phi_1 \subseteq \Phi$ and therefore $\mathcal{M}, \mathcal{I} \models_V \Phi$ implies $\mathcal{M}, \mathcal{I} \models_V \Phi_1$ and, 
by the induction hypothesis on $\Pi'$, $\mathcal{M}, \mathcal{I} \models_V \beta b_0 : A$. Now let $\mathcal{I}(b_0) = n$ for 
some natural number $n$. From $\mathcal{M}, \mathcal{I} \models_V \Phi$ we deduce $\mathcal{M}, \mathcal{I} \models_V b_0 \le b$ and thus 
$\mathcal{I}(b) = n + k$ for some $k \in \mathbb{N}$. We show by induction on $k$ that $\mathcal{M}, \mathcal{I} \models_V \beta b : A$. 
As a base case, we have $k = 0$; it follows that $\mathcal{I}(b) = \mathcal{I}(b_0)$ and thus trivially that 
$\mathcal{M}, \mathcal{I} \models_V \beta b_0 : A$ entails $\mathcal{M}, \mathcal{I} \models_V \beta b : A$. Let us consider now the induction 
step. Given a label $b_{k-1}$ such that $\mathcal{I}(b_{k-1}) = n + k - 1$, we show that the induction 
hypothesis $\mathcal{M}, \mathcal{I} \models_V \beta b_{k-1} : A$ entails the thesis $\mathcal{M}, \mathcal{I} \models_V \beta b : A$. We can build 
an interpretation $\mathcal{I}'$ that differs from $\mathcal{I}$ only in the points assigned to $b_i$ and 
$b_j$, namely, $\mathcal{I}' = \mathcal{I}[b_i \mapsto n + k - 1][b_j \mapsto n + k]$. It is easy to verify that the 
interpretation $\mathcal{I}'$ is such that the following three conditions hold: 

(i) $\mathcal{M}, \mathcal{I}' \models_V \beta b_i : A$; 
(ii) $\mathcal{M}, \mathcal{I}' \models_V b_0 \le b_i$; 
(iii) $\mathcal{M}, \mathcal{I}' \models_V b_i \lhd b_j$. 

Furthermore, the side-condition on the rule ind ensures that $\mathcal{I}$ and $\mathcal{I}'$ agree on 
all the labels occurring in $\Phi_1$, from which we can infer $\mathcal{M}, \mathcal{I}' \models_V \Phi_1$. It follows 
$\mathcal{M}, \mathcal{I}' \models_V \Phi_2$ and thus, by the induction hypothesis on $\Pi$, $\mathcal{M}, \mathcal{I}' \models_V \beta b_j : A$. 
We conclude $\mathcal{M}, \mathcal{I} \models_V \beta b : A$ by observing that $\mathcal{I}'(b_j) = \mathcal{I}(b)$. □ 
A.4 Completeness 

Proof of Theorem 4. We present here the $N(LTL_V)$-derivations of the remaining 
axioms of $H(LTL)$. Note that, for simplicity, we also use some rules (i.e., $FI$, $FE$, 
$\vee I$, $\vee E$, $\wedge I$ and $\wedge E$) concerning derived operators. They can be easily derived 
from the set of rules in Figure 1. 



(A2) The derivation of $b : G(A \supset B) \supset (GA \supset GB)$ uses the discharged hypotheses 
$[b : G(A \supset B)]^1$, $[b : GA]^2$ and $[b \le c]^3$, and reads, from the leaves down: 

$bc : A \supset B$ by $GE$ from $[b : G(A \supset B)]^1$ and $[b \le c]^3$; 
$bc : A$ by $GE$ from $[b : GA]^2$ and $[b \le c]^3$; 
$bc : B$ by $\supset E$; 
$b : GB$ by $GI^3$; 
$b : GA \supset GB$ by $\supset I^2$; 
$b : G(A \supset B) \supset (GA \supset GB)$ by $\supset I^1$. 

(A3) $(X\neg A \leftrightarrow \neg XA)$. [The two derivation trees are not legible in this copy of the paper; 
their recoverable content is the following.] 

Left-to-right: $b : X\neg A \supset \neg XA$ is obtained by $\supset I^1$ from the hypotheses 
$[b : X\neg A]^1$, $[b \lhd c]^2$ and $[b : XA]^3$: $XE$ gives $bc : \neg A$ and $bc : A$, $\supset E$ gives 
$bc : \bot$, from which $b : \neg XA$ follows with hypothesis 3 discharged and then with 
hypothesis 2 discharged. 

Right-to-left: $b : \neg XA \supset X\neg A$ is obtained by $\supset I^1$ from the hypotheses 
$[b : \neg XA]^1$, $[b \lhd c]^2$, $[bc : A]^3$ and $[b \lhd d]^4$: lin $\lhd$ gives $bd : A$, $XI^4$ gives 
$b : XA$, $\supset E$ with $[b : \neg XA]^1$ gives $\bot$, whence $bc : \neg A$ with hypothesis 3 
discharged, and $XI^2$ gives $b : X\neg A$. 

(A4) This proof is similar to the one for (A2) and we thus omit it. 

(A5) The derivation concludes $b : GA \supset (A \wedge XGA)$ by $\supset I^1$ and $\wedge I$ from 
$[b : GA]^1$. [The derivation tree is not legible in this copy of the paper; its recoverable 
content is the following.] The left conjunct $b : A$ is obtained by last from $bb : A$, 
which follows by $GE$ from $[b : GA]^1$ and the hypothesis $[b \le b]^2$ discharged by 
base $\le$. The right conjunct $b : XGA$ is obtained by $XI$ from $bc : GA$, which follows 
by $GI$ from $bcd : A$; the latter comes by last from $bd : A$, obtained by $GE$ from 
$[b : GA]^1$ and $b \le d$, where $b \le d$ is derived by trans $\le$ from the hypotheses 
$b \lhd c$ and $c \le d$ discharged by $XI$ and $GI$ respectively. 

(A7) Note that, for brevity, we give here a derivation of a, clearly equivalent, 
simplified version of the translation of (A7). Namely, we consider $F(XB \wedge VA) \supset 
(A \wedge X(B \vee F(XB \wedge VA)))$ instead of $B \vee F(XB \wedge VA) \supset B \vee (A \wedge X(B \vee F(XB \wedge VA)))$. 
Left-to-right direction: [The derivation trees are not legible in this copy of the paper; 
their recoverable content is the following.] The main derivation concludes 
$b : F(XB \wedge VA) \supset (A \wedge X(B \vee F(XB \wedge VA)))$ by $\supset I^1$ from $[b : F(XB \wedge VA)]^1$, 
using $FE^2$ on $[bc : XB \wedge VA]^2$ and $[b \le c]^2$, $\wedge E$, $VE$ (with $[b \le b]$), last and 
$\wedge I$; the conjunct $b : X(B \vee F(XB \wedge VA))$ is the conclusion of $\Pi_1$. 

$\Pi_1$ is the derivation concluding $b : X(B \vee F(XB \wedge VA))$ by $XI^4$ from 
$bb' : B \vee F(XB \wedge VA)$ under $[b \lhd b']^4$; it uses $\wedge E$, $XE$ (with $[c \le b']^5$), last, 
$\vee I$, lin $\lhd$ and split $\le$ on $[b \le c]^2$ and $[b \lhd b']^4$, with $[bb' : B \vee F(XB \wedge VA)]^6$ 
and the conclusion $bb'' : B \vee F(XB \wedge VA)$ of $\Pi_2$ as the two cases. 

$\Pi_2$ is the derivation concluding $bb'' : B \vee F(XB \wedge VA)$ by $\vee I$ from 
$bb'' : F(XB \wedge VA)$, obtained by $FI$ (with $[b'' \le c]^5$) from $bb''c : XB \wedge VA$; this 
follows by $\wedge I$ from $bb''c : XB$ ($\wedge E$, $XE$, last, $XI$) and $bb''c : VA$ ($\wedge E$, 
$VE$ on $bc : VA$, lin, trans $\le$, base, last, $VI$). 

Right-to-left direction: in the following derivations, we denote with $\varphi$ the 
formula $b : A \wedge X(B \vee F(XB \wedge VA))$. [The derivation trees are not legible in this 
copy of the paper; their recoverable content is the following.] The main derivation 
concludes $b : (A \wedge X(B \vee F(XB \wedge VA))) \supset F(XB \wedge VA)$ by $\supset I^1$ from $[\varphi]^1$: 
$\wedge E$ gives $b : X(B \vee F(XB \wedge VA))$, $XE$ with $[b \lhd e]^2$ gives 
$be : B \vee F(XB \wedge VA)$, $\vee E$ on the cases $[be : B]^3$ (handled by $\Pi_1$) and 
$[be : F(XB \wedge VA)]^3$ (handled by $\Pi_2$) gives $b : F(XB \wedge VA)$, and ser $\lhd$ discharges 
$[b \lhd e]^2$. 

$\Pi_1$ concludes $b : F(XB \wedge VA)$ by $FI$ (with $[b \le b]^4$) from $bb : XB \wedge VA$, obtained 
by $\wedge I$ from $bb : XB$ ($XI$, using lin $\lhd$ on $[b \lhd e]^2$, $[b \lhd f]^5$, $[be : B]^3$, 
$[bf : B]^6$ and last) and $bb : VA$ ($VI$, using $[b \le b']^7$, $[b' \le b]^7$, $\wedge E$ on $\varphi$ 
and last). 

$\Pi_2$ concludes $b : F(XB \wedge VA)$ from $[be : F(XB \wedge VA)]^3$ by $FE$ on 
$[bec : XB \wedge VA]^8$ and $[e \le c]^8$: $\wedge E$, $XE$ (with $[c \lhd f]$), last and $XI$ give 
$be : XB$; together with $be : VA$, the conclusion of $\Pi_3$, $\wedge I$ gives $be : XB \wedge VA$, 
and $FI$ with $[b \le e]^{10}$, obtained by trans $\le$ from $[b \lhd e]^2$ and $[e \le c]^8$, gives 
$b : F(XB \wedge VA)$. 

$\Pi_3$ concludes $be : VA$ by $VI^{12}$ from $bd : A$ under $[b \le d]^{12}$, obtained by split $\le$ 
on $[b \lhd e]^2$ and $[b \le f]^{13}$: in one case $\wedge E$ on $\varphi$ and last give $bd : A$, in the other 
$\wedge E$ on $[bec : XB \wedge VA]^8$, $VE$ with $[e \le d]^{14}$ and $[d \le c]^{12}$, and last give $bed : A$ 
and hence $bd : A$. 

Proof of the axiom (A8). [The derivation tree is not legible in this copy of the paper; 
its recoverable content is the following.] The derivation concludes 
$b : B \vee (F(XB \wedge VA)) \supset FB$ by $\supset I^1$ from $[b : B \vee (F(XB \wedge VA))]^1$, by $\vee E$ on the 
cases $[b : B]^2$ and $[b : F(XB \wedge VA)]^2$. In the first case, last gives $bb : B$ and $FI$ 
with $[b \le b]^3$, discharged by base $\le$, gives $b : FB$. In the second case, $FE$ on 
$[bc : XB \wedge VA]^4$ and $[b \le c]^4$, $\wedge E$, $XE$ with $[c \lhd d]^5$ and last give $bd : B$; 
$b \le d$ is obtained by trans $\le$ from $[b \le c]^4$ and $[c \lhd d]^5$ (with $[b \le d]^7$ 
discharged), $FI$ gives $b : FB$, and ser $\lhd$ discharges $[c \lhd d]^5$. 
